A pairwise key-agreement scheme is provided for creating key agreements non-interactively between pairs of nodes disposed in a hierarchy of nodes. The scheme is non-interactive so that any two nodes can agree on a shared secret key without interaction. In addition, the scheme is identity-based so that any given node only needs to know the identity of peer nodes to compute the shared secret key. All of the nodes are arranged in a hierarchy where an intermediate node in the hierarchy can derive the secret keys for each of its children from its own secret key and the identity of the child. Accordingly, the scheme is fully resilient against compromise of any number of leaves in the hierarchy and of a threshold number of nodes in the upper levels of the hierarchy. The scheme is well-suited for environments such as mobile ad-hoc networks (MANETs), which are very dynamic, have acute bandwidth-constraints and have many nodes are vulnerable to compromise.
|
1. A method for creating shared keys among a plurality of nodes arranged in a hierarchy, the method comprising:
using a hierarchical and threshold key distribution scheme at intermediate nodes in a computing network to compute shared keys between all intermediate nodes in the hierarchy, the threshold comprising a maximum number of intermediate nodes that can be corrupted before the computing network is compromised, the intermediate nodes located in the hierarchy between a root node in the hierarchy and terminal nodes, each intermediate node using only linear operations to compute a shared key; and
using a separate non-interactive identity-based scheme at terminal nodes in the computing network to compute shared keys only between terminal nodes in the hierarchy and to provide full resilience against any number of corruptions in the terminal nodes.
20. A non-transient computer-readable medium containing a computer-readable code that when read by a computer causes the computer to perform a method for creating shared keys among a plurality of nodes arranged in a hierarchy, the method comprising:
using a hierarchical and threshold key distribution scheme at intermediate nodes in a computing network to compute shared keys between all intermediate nodes in the hierarchy, the threshold comprising a maximum number of intermediate nodes that can be corrupted before the computing network is compromised, the intermediate nodes located in the hierarchy between a root node in the hierarchy and terminal nodes, each intermediate node using only linear operations to compute a shared key; and
using a separate non-interactive identity-based scheme at terminal nodes in the computing network to compute shared keys only between terminal nodes in the hierarchy and to provide full resilience against any number of corruptions in the terminal nodes.
2. The method of
3. The method of
4. The method of
5. The method of
identifying a linear space comprising a plurality of members, wherein the sum of any two members of the linear space is contained within the linear space and a scalar multiple of any member of the linear space is contained within the linear space;
identifying a plurality of random elements from the linear space, the plurality of random elements comprising master secret keys;
identifying a secret key at any intermediate node as a set of values wherein each value in the set of values comprises a linear combination of the master secret keys; and
using linear combinations of the master secret keys as shared keys for communications between any two intermediate nodes.
6. The method of
7. The method of
8. The method of
identifying a polynomial to be used as a master secret key, the polynomial based on a given depth of the hierarchy and a security threshold parameter comprising the maximum number of nodes that can be corrupted before all nodes in the hierarchy are compromised; and
using the identified polynomial to compute a secret key for any intermediate node.
9. The method of
10. The method of
11. The method of
12. The method of
identifying a plurality of random elements from a linear space, the plurality of random elements comprising master secret keys;
assigning to each intermediate node a set values from the master secret keys, the set of values assigned to a given intermediate node comprising a subset of secret key values associated with a parent node of that intermediate node; and
identifying a shared key between any two intermediate nodes using an intersection of the assigned sets of values for the two intermediate nodes.
13. The method of
14. The method of
15. The method of
16. The method of
17. The method of
18. The method of
identifying a first cyclic group;
identifying a hash function that converts terminal node identity vectors to integer values contained within the first cyclic group;
identifying an integer valued secret key; and
calculating a secret key for each terminal node that is a member of the first cyclic group using the identity vector of a given terminal node and the integer valued secret key in the identified hash function.
19. The method of
identifying a second cyclic group;
identifying a bilinear mapping from the first cyclic group to the second cyclic group; and
using the bilinear mapping on the secret key for a first terminal node and a hash function value generated by applying the identified hash function to a second terminal node identification vector to generate a shared key for communication between the first and second terminal nodes, the generated shared key a member of the second cyclic group.
|
The invention disclosed herein was made with U.S. Government support under Contract No. W911NF-06-3-0001 the U.S. Army. The Government has certain rights in this invention.
The present invention relates to secure communications.
Key agreement is a fundamental tool for secure communication. A key agreement scheme lets two nodes in a network agree on a shared key that is known only to them, thus allowing them to use that key for secure communication. In environments where bandwidth is at a premium, there is a significant advantage to non-interactive schemes, where two nodes can compute their shared key without any interaction. The classical Diffie-Hellman key-exchange protocol, which is described in W. Diffie and M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 22(6):644-654 (1976), is an example of such a non-interactive scheme. In the Diffie-Hellman key-exchange protocol, node A can compute a shared key with node B knowing only the public key of B and its own secret or private key. But each node in this protocol must still learn the public key of the other node, implying either direct communication between the nodes or some other form of coordination.
To minimize the required coordination between nodes, an identity-based key-exchange is used where the public key of a node is the name of that node. These schemes rely on a key distribution center (KDC), which is a central authority with a master secret key, to provide each node with a secret key that corresponds to the name of that node. An example of this scheme is described in R. Sakai, K. Ohgishi, and M. Kasahara, Cryptosystems Based on Pairings, Proceedings of SCIS 2000 (2000), where node A computes a shared key with node B knowing only the name of its own secret key.
Registering all nodes with just one central authority, however, is not always practical or possible. For example, in mobile ad-hoc networks (MANETs), frequent communications occur between nodes from different organizational units. In environments such as MANETs, a hierarchical system is preferred, where the central authority only needs to distribute keys to a small number of large organizations. Each of these large organizations can further distribute keys to smaller and smaller units until individual nodes obtain secret keys from their immediate unit. Such a hierarchical scheme would serve well also for tactical network applications where the organization of the network is already hierarchical in nature. Preferred schemes would be non-interactive, identity-based and hierarchical and would hold together with a strong security guarantee.
A previous attempt to provide a suitable scheme was proposed in Carlo Blundo, Alfredo De Santis, Amir Herzberg, Shay Kutten, Ugo Vaccaro, and Moti Yung, Perfectly Secure Key Distribution for Dynamic Conferences, Information and Computation, 146(1):1-23 (1998). According to the proposed scheme, each node has a secret polynomial that provides the role of a secret key. The shared key between two leaf nodes is computed by evaluating the polynomial of one node at a point that corresponds to the identity of the other. The main drawback of this proposed scheme is that security is ensured only as long as not too many nodes are compromised. Once the number of compromised nodes grows above some threshold, an attacker could learn keys of un-compromised nodes and perhaps the master secret key of the whole system. This threshold is essentially the degree of the polynomials that are used in that scheme. This vulnerability is particularly acute in MANETs, where the ad-hoc nature of the network makes it very hard to assure the integrity of nodes. In MANETs, therefore, a high enough threshold to ensure security in a realistic setting may not be possible.
Systems and methods in accordance with the present invention provide a hierarchical scheme for key distribution and communication that is fully resilient against compromise of any number of nodes in the lowest level or terminal nodes of the hierarchy. For tree structure hierarchies, these lowest level nodes are leaf nodes. In the upper levels of the hierarchy, i.e., above the leaf nodes, the scheme is resilient to the compromise of a threshold number of nodes. This combination of threshold resilience in the upper levels with full resilience in the leaves utilizes a trade-off in security. In general, upper-level nodes are often better protected, e.g., these nodes are less mobile and have better physical security among other factors, while leaf nodes are both more numerous and much more vulnerable to attack. In general, a degradation of security among the levels of the hierarchy is provided. Nodes that are lower in the hierarchy hold less secret information; therefore, corruption of these nodes is less threatening to the system as a whole.
Security analysis of exemplary embodiments of schemes in accordance with the present invention illustrates that for a hierarchical tree with a branching factor of l at each level and a security threshold set to t=l, a fully resilient scheme is obtained. A fully resilient scheme can tolerate any number of corrupted nodes, since the number of nodes at each level is less than the number of nodes that an adversary would need to break the system. In other words, when the security threshold is set to be equal to the tree branching factor, the amount of secret information is equivalent to sharing pairwise keys among all the nodes. Schemes in accordance with the present invention, however, are preferable to pairwise sharing since these schemes do not require advance knowledge of the identities of the nodes.
The secret information grows as O(t2L); therefore, these schemes can be used for moderate values of t and small values of L. However, for many practical applications this limitation is not a concern. For example, consider a tactical application where the key distribution center (KDC) resides at the central headquarters. The leaf nodes belong to individual soldiers, and the intermediate nodes are the various units, for example down to the level of battalions. The number of levels is a relatively small number. In addition, the branching factor of this tree is also small, i.e., five or six, except for the lowest level. Therefore, the threshold is also going to be a small number. Placing the threshold at six, i.e., the branching factor, provides full resilience.
In accordance with one exemplary embodiment, the present invention is directed to a method for creating shared keys among a plurality of nodes arranged in a hierarchy. The hierarchy can have a given depth. A hierarchical key distribution scheme is used to compute shared keys between intermediate nodes in the hierarchy. In one embodiment, the hierarchical key distribution scheme is a linear hierarchical key distribution scheme. In one embodiment, a tree hierarchy is established among the plurality of nodes, the terminal nodes corresponding to the leaf nodes in the tree hierarchy. These intermediate nodes are located in the hierarchy between a root node in the hierarchy and terminal nodes. Each intermediate node uses only linear operations to compute a shared key. In a hierarchy of given depth, the terminal nodes are located at a level in the in the hierarchy corresponding to the given depth of the hierarchy. In addition, a non-interactive identity-based scheme is used to compute shared keys between terminal nodes in the hierarchy.
In one embodiment, use of the hierarchical key distribution scheme includes identifying a linear space containing a plurality of members wherein the sum of any two members of the linear space is contained within the linear space and a scalar multiple of any member of the linear space is contained within the linear space. A plurality of random elements is identified from the linear space such that the plurality of random elements constitutes master secret keys. A secret key is identified at any intermediate node as a set of values wherein each value in the set of values is a linear combination of the master secret keys. These linear combinations of the mast secret keys are used as shared keys for communications between any two intermediate nodes. In one embodiment, the number of values to be included in each intermediate node secret key is determined deterministically from public information, and all coefficients in any liner combination of the master secret keys are derived deterministically from public information.
In one embodiment, the hierarchical key distribution scheme is a polynomial-based linear hierarchical key distribution scheme is a polynomial-based scheme. In this scheme, a polynomial to be used as a master secret key is identified. The polynomial is based on a given depth of the hierarchy and a security threshold parameter expressing a maximum number of nodes that can be corrupted before all nodes in the hierarchy are compromised. The identified polynomial is used to compute a secret key for any intermediate node. In one embodiment, using the hierarchical key distribution scheme includes establishing a shared key from communication between two intermediate nodes by evaluating the polynomial at one of the intermediate node using values corresponding to the other intermediate node. In one embodiment, a key distribution center disposed at the root node in the hierarchy is used to identify the polynomial.
In one embodiment, the hierarchical key distribution scheme is a subset-based scheme. In the subset-based scheme, a plurality of random elements is identified from a linear space, the plurality of random elements constituting master secret keys. A set of values from the master secret keys is assigned to each intermediate node. Each set of values assigned to a given intermediate node includes a subset of secret key values associated with a parent node of that intermediate node. A shared key between any two intermediate nodes is identified using an intersection of the assigned sets of values for the two intermediate nodes. In one embodiment, a central authority disposed at the root node is used to identify the plurality of random elements. When using the central authority to identify a pre-determined plurality of numbers, each number has a value between 0 and 1, and the central authority is used to identify a cryptographic hash function. In one embodiment, the subset of parent node secret key values is computed deterministically using an identity of that intermediate node.
In one embodiment, use of the non-interactive identity-based scheme includes acquiring shared keys between any two terminal nodes without requiring communication between the two terminal nodes. In addition, for each terminal node, a common shared key between parent nodes of the two terminal nodes is used in combination with an identification of the other terminal node to calculate the shared key.
In one embodiment, a first cyclic group is identified, and a hash function that converts terminal node identity vectors to integer values contained within the first cyclic group is also identified. An integer valued secret key is identified, and a secret key for each terminal node that is a member of the first cyclic group is calculated using the identity vector of a given terminal node and the integer valued secret key in the identified hash function. In addition, a second cyclic group is identified, and a bilinear mapping from the first cyclic group to the second cyclic group is identified. The bilinear mapping is used on the secret key for a first terminal node and a hash function value generated by applying the identified hash function to a second terminal node identification vector to generate a shared key for communication between the first and second terminal nodes. The generated shared key a member of the second cyclic group.
Exemplary embodiments of systems and methods in accordance with the present invention utilize a linear hierarchical key distribution system in combination with an identity-based key exchange protocol. Referring to
A linear hierarchical key distribution scheme is defined over a linear space V, that is a set over which two operations are defined, addition (take two elements v and u in V and the value v+u is also in V), and scalar multiplication (given an integer a and an element v in V the value av is also in V). Given a sets of elements v1, v2, . . . vm in V, an element v is called a linear combination of those elements if there exists integers a1, a2, . . . am (called coefficients) such that v=a1v1+a2v2+ . . . +amvm
In a linear hierarchical key distribution scheme the following properties are satisfied. First, the central authority selects N random elements from V, to be used as the master secret keys. Second, the secret key of each node in the hierarchy includes a set of values v1, v2, . . . vm in V, each of which is a linear combination of the master secret keys. Third, the shared key between every two nodes is an element of V, which is also a linear combination over V of the master secret keys. Fourth, the number of values in each node's secret key and all the coefficients in the linear combinations mentioned above are derived deterministically from public information. This public information includes the position of a node in the hierarchy and the identity of this node. In a hierarchical scheme, an internal node will provide its children with values that are a linear combination of its own values, which are be linear combinations of the master secret keys.
An example of a linear hierarchical key distribution scheme is a polynomial-based scheme. In the polynomial-based scheme, shared keys for communication 110 between nodes, including leaf nodes and intermediate nodes, in the hierarchy are determined using a pre-defined polynomial that is used for all of the nodes and is based on the depth of the hierarchy and the security threshold, called the threshold parameter. The security threshold expresses the maximum number of nodes that can be corrupted before the entire system of nodes is said to be compromised. For a desired threshold parameter t, the KDC identifies a random polynomial over Zq for a large enough prime q that is represented by F(x1, y1, . . . , xL, yL). The selected polynomial has a degree t in each variable such that F(x1, y1, . . . , xL, yL)≡F(y1x1, . . . , yL, xL), i.e., such that the polynomial is symmetric between the x's and y's. One way to choose such a polynomial is to choose a random polynomial f on the same variables and then to set F(x1, y1, . . . , xL, yL)=f(x1, y1, . . . , xL, yL)+f(y1, x1, . . . , yL, xL). The size of the description of F is (t+1)2L. Therefore, this scheme is used with moderate values of t and small values of L.
The master secret key of the polynomial-based key distribution system is the identified polynomial F. This master secret key is used to determine the secret key of any node within the system and, therefore, the secret key to be used in communications between any two nodes within the system. For example, the secret key of a node with the identity I in the first level of the hierarchy is the polynomial FI=F(I, y1, x2, y2, . . . ). This polynomial has 2L−1 variables. Similarly, the secret key of a node at level i with identity {right arrow over (I)}=I1, . . . , Ii is the polynomial F{right arrow over (I)}=F(I1, y1, . . . , Ii, yi, xi+1, yi+1, . . . ) that has 2L−i variables, and the secret key of the leaf with identity I1, . . . , IL is the polynomial in L variables F(I1, y1, . . . , IL, yL).
Using this polynomial-based scheme, the shared key between two nodes disposed at the lowest level in the hierarchy, i.e., the two leaf nodes In, . . . , IL and J1, . . . , JL is the value of the polynomial F(I1, J1, . . . , IL, JL)=F(J1, L1, . . . , JL, IL). Each node computes the shared key by evaluating its own secret polynomial on the points that correspond to the identity of the peer node with which a given node wants to communicate. As long as the number of compromised nodes in each level is not too big, this scheme provides information-theoretic security for the keys. For example, let Ci be the number of compromised nodes in level i of the tree. As long as
is satisfied, an attacker has no information about the keys that are shared between any two non-compromised nodes.
Another example of a linear hierarchical key distribution scheme is the subset-based scheme that was first described in Eschenauer and Gligor, A key-management scheme for distributed sensor networks, Proceedings of the 9th ACM conference on Computer and Communications Security, ACM-CCS'02, pages 41-47, ACM, 2002. Generally in this scheme, the central authority selects N random elements from V, to be used as the master secret keys. The secret key of each node in the hierarchy includes values v1, v2, . . . vm in V, which are a subset of the secret keys held by its parent. This subset is computed deterministically by the parent using the identity of the node. The shared key between every two nodes is the intersection of the set of values held by those two nodes.
More specifically, in a subset-based key distribution scheme the central authority chooses N random integers v1, v2, . . . v modulo a large prime q. Each node in the hierarchy holds a subset of v1, v2, . . . vN as its secret key. The authority also chooses L parameters p1, . . . , pL where each pj is a number between 0 and 1, and a cryptographic hash function H. The parameters L, H and p1, . . . , PL are known to everyone.
Let <I1, . . . , Ii> be an internal node at level i in the hierarchy and <I1, . . . , Ii, Ii+1> be one of its children. Let R={K1, . . . Kn} be the secret keys held by of node <I1, . . . , Ii>. The parent node computes rj=H(I1, . . . , Ii, Ii+1, j) for each j=1 . . . n. If rj<pj then the child node receives Kj.
Two leaf nodes <I1, . . . , IL> and <J1, . . . , JL> can repeat the entire process above to identify the intersection of their secret keys sets. Their shared key is computed as the sum modulo q of all the keys in the intersection.
It is possible to show that if one wants to tolerate the corruption of at most ti nodes at each level, then the optimal choice for the parameter pi is 1/(ti+1). Also by choosing N large enough we can make the probability that the attacker finds the shared key of any non-corrupted nodes negligible. If N=c eLπiti(ti+1) for a constant c, then the probability that an adversary that corrupts at most ti nodes at level i of the hierarchy will learn the shared key of any pair of uncorrupted nodes with probability at most e−c.
Regarding bilinear maps and the bilinear decisional Diffie-Hellman (BDDH) problem, let G1 and G2 be two cyclic groups of order q for some large prime q. In addition, let e be a mapping e: G1×G1→G2. The mapping e is:
An algorithm A has advantage ε solving the BDDH in(G1, G2, e) if
Pr[A(P,Pa,Pb,Pc,e(P,P)abc)=1]−Pr[A(P,Pa,Pb,Pc,e(P,P)r)=1]≧ε
where the probability is over the random choice of PεG1, a, b, c, rεZq, and the internal randomness of A. The BDDH assumption (with respect to G1, G2, e) states that feasible adversaries can have only an insignificant advantage.
Given this, the non-interactive identity-based key agreement scheme, which was not hierarchical, was proposed in R. Sakai, K. Ohgishi, and M. Kasahara, Cryptosystems Based on Pairings, Proceedings of SCIS 2000 (2000). In this identity-based agreement scheme, a KDC sets up the parameters for an identity-based public key system by fixing two cyclic groups G1, G2 such that the first group maps to the second group through the bilinear map e: G1×G1→G2. In addition, the identity-based scheme chooses a cryptographic hash function H: {0,1}*→G1. Therefore, the hash function converts identities to a value contained within the first cyclic group. An integer-valued secret key sεZq is chosen. A given node having the identity ID is provided with the secret key SID=H(ID)sεG1, since an integer multiple of a value from the cyclic group will also be contained within the cyclic group.
In addition to calculating a secret key for each node, shared keys for communication between two nodes are required such that communication between the nodes is not required in order to exchange the shared keys. The shared key between two nodes with identities ID1 and ID2 is K=e(H(ID1), H(JD2))sεG2. Therefore, the shared keys are contained in the second cyclic group to which the first cyclic group can be mapped by definition. The individual nodes can compute the appropriate shared key independently by setting K=e(SID
Exemplary embodiments of systems and methods in accordance with the present invention utilize a combination of the linear hierarchical scheme with the non-interactive identity-based scheme. In accordance with exemplary embodiments of the present invention, a hierarchical identity-based key agreement scheme is provided that is secure against any number of corruptions in the lowest level of the hierarchy. A key distribution center (KDC) 102 and a hierarchy of authorities, e.g., intermediate nodes 104, are provided that issue keys to nodes lower in the hierarchy. Any two leaves 103 within the hierarchy can establish a shared key for communication 110 non-interactively. In general, systems and methods in accordance with the present invention utilize a combination of a hierarchy and threshold scheme with a scheme that provides full resilience for leaf nodes. In the linear hierarchical scheme each node uses only linear operations to compute the shared key with another node. Let s be such shared key. Therefore a leaf node with identity ID can perform this linear computation “in the exponent”, thereby obtaining the secret H(ID)s as needed for the leaf node full resiliency scheme, i.e., the identity-based scheme described above.
In one embodiment, a KDC is utilized that knows the arrangement or topology of the nodes within the hierarchy including the depth of that hierarchy (denoted L) and the desired threshold (denoted t). The KDC sets up the parameters for an identity-based public key system by fixing two cyclic groups G1, G2 of order q and the bilinear map e: G1×G1→G2 between these two groups. The KDC identifies two hash functions {tilde over (H)}: {0,1}*→Zq and H: {0,1}*→G1. In addition, a master secret key polynomial F is established for an L-level hierarchy with threshold t as described above for the polynomial-based key distribution system.
The system utilizes two different schemes to calculate shared keys. One scheme is used for all intermediate nodes 104, i.e., all nodes between the root node (KDC) 102 and the lowest level or leaf nodes 103. A separate scheme is used to calculate shared keys for the leaf nodes 103. In one embodiment, secret keys and shared keys for the intermediate nodes 104 are calculated using the polynomial-based scheme. The secret keys and shared keys of the leaf nodes 103 are calculated using a modification of the non-interactive identity-based key agreement scheme.
In one embodiment, the secret keys of all the intermediate nodes (up to level L) are derived using the polynomial-based scheme described above. An intermediate node is a node between the root node or KDC and any leaf node. Every node, including leaf nodes and intermediate node, has an associated location identification vector 108 that describes the path through the hierarchy to a given node. The intermediate node identification vector contains a plurality of values, and each value is the root or branch that is taken at a given node or level of the hierarchy to reach the given node. In one embodiment,
is the identity or identification location vector of a node at level i≦L of the hierarchy. The identified hash function that produces values that are a member of the identified first cyclic group takes the location identification vector as an input and produces an integer valued location identifier. An integer identifier is produced for every node in the path to the given node. Therefore, for every j≦i, the integer Ij={tilde over (H)}(ID1, . . . , IDj)εZq is computed. These integer values are used in the identified polynomial to produce the secret key for any intermediate node in the hierarchy. Thus, the secret key of {right arrow over (ID)}|i includes all the coefficients of the polynomial with 2L−i variables
FID|
These secret keys and the polynomials are used to compute shared keys for communication between intermediate nodes in the hierarchy. The shared keys between intermediate nodes, and in particular between intermediate nodes that are parent nodes of the lowest level or leaf nodes, are also used in the non-interactive calculation of shared keys between leaf nodes.
In one embodiment, the secret key between any pair of two leaf nodes, for example a first and second leaf node, are computed as follows. Let {right arrow over (ID)}=(ID1, . . . , IDj be a node at level L, and let α1, α2, . . . be all the coefficients of the polynomial F{right arrow over (ID)} (in canonical order). Consider a first leaf node under the intermediate node {right arrow over (ID)} that has identity ({right arrow over (ID)},IDL+1). This intermediate node is the parent node of the first leaf node. An integer valued location identification is calculated using an identification vector for the first leaf node, IL+1=H({right arrow over (ID)},IDL+1)εG1. This integer value is raised to the power of each coefficient from the polynomial of the parent node, and the secret key of the leaf node is set to (IL+1)α
Therefore, given all the values (IL+1)α, a leaf node can compute (IL+1)F
Consider now two leaf nodes, a first leaf node IDA under the intermediate node {right arrow over (ID)}=ID1, . . . , IDL and a second leaf node IDB under the intermediate node {right arrow over (ID)}=ID′1, . . . , ID′L The location identification vectors for the intermediate nodes are identified and used as inputs in the hash function to produce integer valued identifications for the intermediate nodes. These integer values are members of the first cyclic group. For example, Ii={tilde over (H)}(ID1, . . . , IDi) and Ji={tilde over (H)}(ID′1, . . . , ID′i) are the hash values that are obtained for the first and second intermediate nodes {right arrow over (ID)} and {right arrow over (ID)}′. The resulting vectors are {right arrow over (I)}=I1, . . . , IL and {right arrow over (J)}=(J1, . . . , JL Let s({right arrow over (ID)}, {right arrow over (ID)}′) be the “Blundo secret key”, i.e., the shared key, that is defined for the first and second intermediate nodes {right arrow over (ID)} and {right arrow over (ID)}′. Therefore, s({right arrow over (ID)}, {right arrow over (ID)}′)=F{right arrow over (ID)}({right arrow over (J)})=F{right arrow over (ID)}′({right arrow over (I)}). This common shared key can be used at each leaf node under the corresponding intermediate node to non-interactively and independently calculate a shared node for communication between the first and second leaf nodes. For example, the shared key between the first and second leaf nodes ({right arrow over (ID)}, IDA) and ({right arrow over (ID)}′, IDB) is defined as
k=e(IL+1,JL+1)s({right arrow over (ID)},{right arrow over (ID)}′), where IL+1=H({right arrow over (ID)},IDA) and JL+1=H({right arrow over (ID)}′,IDB)
The first leaf node ({right arrow over (ID)}, IDA) can compute this value by computing S=(IL+1)F
In another embodiment, the secret keys of all the intermediate nodes (up to level L, i.e., parents of leaf nodes, are derived using the subset-based scheme described above. Let <I1, . . . , IL> be the parent of a leaf node and let R={K1, . . . Kn} be the secret keys it holds. Let ID=H(I1, . . . , IL+1) be the hash of the identity of one of its leaf nodes, then this node receives the values Si=IDKi
Let <I1, . . . , IL+1> and <J1, . . . , JL+1> be two leaves, with ID=H(I1, . . . , IL+1) and JD=H(J1, . . . , JL+1). Let IR be the intersection of the values held by their parents, i.e., IR={K1 . . . Kn′} where both <I1, . . . , IL> and <J1, . . . , JL> know Kj. For each Kj in IR, the leaf <I1, . . . , IL+1> holds Sj=IDKj and the leaf <J1, . . . , JL+1> holds Tj=JDKj. Let K be the sum of all the Kj in IR. Then the leaf <I1, . . . , IL+1> holds S=IDK=πjSj=IDΣKj and the leaf <J1, . . . , JL+1> holds T=JDK=πjSj=JDΣKj. The shared key between these two leaves is e(ID,JD)K=e(S,JD)=e(ID,T).
Any attack against nodes arranged in hierarchies and provided with shared keys using schemes in accordance with the present invention (when using G1, G2, e translates to an attack that solves BDDH in the same groups with the same advantage. That is, there exists a reduction in the random oracle model from breaking the scheme to solving BDDH, which preserve the advantage and complexity of the attacker.
In both embodiments, the BDDH assumption could be replaced with the computational BDDH assumption, by replacing the key e(I,J)s by its hash H′(e(I,J)s) with H′ yet another random oracle. H only needs to ensure that the linear system has full rank.
Methods and systems in accordance with exemplary embodiments of the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software and microcode. In addition, exemplary methods and systems can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer, logical processing unit or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. Suitable computer-usable or computer readable mediums include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems (or apparatuses or devices) or propagation mediums. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.
Suitable data processing systems for storing and/or executing program code include, but are not limited to, at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements include local memory employed during actual execution of the program code, bulk storage, and cache memories, which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. Input/output or I/O devices, including but not limited to keyboards, displays and pointing devices, can be coupled to the system either directly or through intervening I/O controllers. Exemplary embodiments of the methods and systems in accordance with the present invention also include network adapters coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Suitable currently available types of network adapters include, but are not limited to, modems, cable modems, DSL modems, Ethernet cards and combinations thereof.
In one embodiment, the present invention is directed to a machine-readable or computer-readable medium containing a machine-executable or computer-executable code that when read by a machine or computer causes the machine or computer to perform a method for creating shared keys among a plurality of nodes arranged in a hierarchy of given depth in accordance with exemplary embodiments of the present invention and to the computer-executable code itself. The machine-readable or computer-readable code can be any type of code or language capable of being read and executed by the machine or computer and can be expressed in any suitable language or syntax known and available in the art including machine languages, assembler languages, higher level languages, object oriented languages and scripting languages. The computer-executable code can be stored on any suitable storage medium or database, including databases disposed within, in communication with and accessible by computer networks utilized by systems in accordance with the present invention and can be executed on any suitable hardware platform as are known and available in the art including the control systems used to control the presentations of the present invention.
While it is apparent that the illustrative embodiments of the invention disclosed herein fulfill the objectives of the present invention, it is appreciated that numerous modifications and other embodiments may be devised by those skilled in the art. Additionally, feature(s) and/or element(s) from any embodiment may be used singly or in combination with other embodiment(s) and steps or elements from methods in accordance with the present invention can be executed or performed in any suitable order. Therefore, it will be understood that the appended claims are intended to cover all such modifications and embodiments, which would come within the spirit and scope of the present invention.
Halevi, Shai, Gennaro, Rosario, Rabin, Tal, Krawczyk, Hugo M
Patent | Priority | Assignee | Title |
10237061, | Sep 25 2015 | International Business Machines Corporation | Generating master and wrapper keys for connected devices in a key generation scheme |
10805073, | Sep 25 2015 | International Business Machines Corporation | Generating master and wrapper keys for connected devices in a key generation scheme |
8964988, | Jul 23 2010 | Nippon Telegraph and Telephone Corporation | Secret sharing system, sharing apparatus, share management apparatus, acquisition apparatus, secret sharing method, program and recording medium |
Patent | Priority | Assignee | Title |
7043024, | Apr 18 2001 | JPMORGAN CHASE BANK, N A , AS ADMINISTRATIVE AGENT | System and method for key distribution in a hierarchical tree |
20020044657, | |||
20020108036, | |||
20030076958, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Mar 06 2008 | International Business Machines Corporation | (assignment on the face of the patent) | / | |||
Mar 13 2008 | GENNARO, ROSARIO | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020669 | /0941 | |
Mar 13 2008 | HALEVI, SHAI | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020669 | /0941 | |
Mar 13 2008 | KRAWCZYK, HUGO M | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020669 | /0941 | |
Mar 13 2008 | RABIN, TAL | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020669 | /0941 |
Date | Maintenance Fee Events |
Nov 25 2016 | REM: Maintenance Fee Reminder Mailed. |
Apr 16 2017 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Apr 16 2016 | 4 years fee payment window open |
Oct 16 2016 | 6 months grace period start (w surcharge) |
Apr 16 2017 | patent expiry (for year 4) |
Apr 16 2019 | 2 years to revive unintentionally abandoned end. (for year 4) |
Apr 16 2020 | 8 years fee payment window open |
Oct 16 2020 | 6 months grace period start (w surcharge) |
Apr 16 2021 | patent expiry (for year 8) |
Apr 16 2023 | 2 years to revive unintentionally abandoned end. (for year 8) |
Apr 16 2024 | 12 years fee payment window open |
Oct 16 2024 | 6 months grace period start (w surcharge) |
Apr 16 2025 | patent expiry (for year 12) |
Apr 16 2027 | 2 years to revive unintentionally abandoned end. (for year 12) |